We have a requirement wherein we want to check if logs have not been updated in last 24 hours. There are around 20 indexes that we want to search on at the same time and each of those indexes gets data from 3 different hosts. Below is what we expect the output to be:

Index           Source  Host                     Last_Update_Time
Web_test    abc         prodpmwsv10   xyz
Web_test    abc         prodpmwsv11   mno
web_new    new1      prodpmwsv12   uip

We have used below query to achieve this but this just gives us the index and source. We want to include host as well as a part of the output.

Query-->

| eventcount summarize=false index=web_* | search NOT (index="web_rev3*" OR index="web_lgl" OR index="web_aqua")| dedup index | map maxsearches=100 search="| metadata type=sources index=\"$index$\" | eval index=\"$index$\""| eval age=now()-recentTime |search age>86400|convert ctime(recentTime)| eval age=round(age/3600, 2)|eval age=age+"hrs" |rename recentTime as "Last Update Time"| table index, source, "Last Update Time", age |sort -age| rename index as Index source as Source| rename age as "Hours since log was last updated"

Is there any way to do this? We tried to use another metadata command but that didn't help either.

Thanks.